diff --git a/App-Security.md b/App-Security.md index 4491bba..b571cb7 100644 --- a/App-Security.md +++ b/App-Security.md @@ -21,6 +21,13 @@ From ``./lint --show AllowBackup``: * The only argument, I can think of is protecting against root apps dumping the database and then gaining access to all public keys and thus a nice social graph, but hey, there are easier ways to get that information, maybe simply dumping the address database ;) * SQLCipher makes sense for apps such as TextSecure or Threema to protect the **decrypted** messages, but OpenKeychain does not store anything besides keys. +### Anyone can delete my secret keys! +Yes. + * Anyone can simply delete the app data from Android OS without a passphrase + * Asking for a passphrase before delete would prevent you from deleting keys where you forgot your passphrase + +### Why ask for passphrase when exporting? +It is not required cryptographically, but prevents simple stealing of your keys. ### So how to backup/synchronize keys? * Synchronize public keys with keyservers -> you achieve the same certifications on all modern OpenPGP clients
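Review bot: The answer added under "### Why ask for passphrase when exporting?" ("It is not required cryptographically, but prevents simple stealing of your keys.") does not say whom the prompt is meant to stop, and the existing bullet just above already concedes that root apps can dump the database. Suggest naming the scenario, for example someone who briefly holds the unlocked device and uses the export function, and stating whether the exported file is still protected by the key's passphrase, since a reader cannot tell that from this text. In the same hunk, "Anyone" in "### Anyone can delete my secret keys!" and its first bullet really means anyone with access to the device who can clear the app data. Saying so, and pointing to the "### So how to backup/synchronize keys?" section that follows as the mitigation, would make the blunt "Yes." more useful. Style: the hunk puts a blank "+" line before "### Why ask for passphrase when exporting?" but none between "Yes." and the bullet list, and none between the last added line and the following "### So how to backup/synchronize keys?" heading. Adding both keeps the spacing consistent and avoids renderer-dependent list and heading parsing.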